Netgate Discussion Forum

    Trouble Shooting Help Needed

    General pfSense Questions
    kiekar

      Hello,

      I've been having an issue updating my Kaspersky database for a little while now. The database is no longer updating. I'm on the latest version of pfSense and all the latest package updates. I viewed the real-time access logs and noticed these entries.

      1458484291.075    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-18.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html
      1458484297.498    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3704 GET http://dnl-04.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/4.28.136.36 text/html
      1458484304.137    102 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-17.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.199 text/html
      1458484310.421    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-10.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
      1458484316.922    231 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-14.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
      1458484323.204    12 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-11.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
      1458484329.582    103 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-16.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
      1458484335.893    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-07.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.125 text/html
      1458484342.272    112 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-12.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
      1458484348.786    112 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-09.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.119 text/html
      1458484355.265    39 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-15.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
      1458484361.658    122 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-13.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.202 text/html
      1458484367.944    13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3704 GET http://dnl-01.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/4.28.136.42 text/html
      1458484377.578    270 192.168.2.182 TCP_MISS/503 3727 GET http://downloads6.kaspersky-labs.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.253 text/html
      1458484603.675    892 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3719 GET http://dnl-07.geo.kaspersky.com/updaters/updater.xml.dif - ORIGINAL_DST/38.124.168.116 text/html

      I'm not sure how to configure pfSense to allow the connection to update my antivirus database. Your help would be much appreciated.

      heper

        Real-time access logs of what? Proxy? Try to disable it.

        kiekar

          > what? proxy

          I'm using Squid3 0.4.7. Disabling it doesn't work.

          johnpoz LAYER 8 Global Moderator

            Are you using it in explicit or implicit mode? What are your rules on this network interface? If you point a client to a proxy and then turn off the proxy, then yeah, no shit, it's not going to work. If you use transparent mode and have rules to intercept traffic and only allow your proxy port, again, turning off the proxy is not going to work.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            kiekar

              I have Squid set to transparent mode. Outbound is also blocked.

              [attachment: KAV_firewall_log.jpg]

              johnpoz LAYER 8 Global Moderator

                So you have a floating rule blocking outbound traffic on your WAN? Or you have Snort installed doing it?


                mer

                  With no packages and default rules on a pfSense box, Kaspersky IS updates just fine for me.

                  johnpoz LAYER 8 Global Moderator

                    You can see from what he posted that he has an outbound rule set up on his WAN that is blocking traffic to port 80. If he turned on listing the rule description in the log settings, it could tell you exactly which rule it is. The only place you can set outbound rules is the floating tab, so post up your floating tab so we can see the rules.

                    [attachment: logsettings.png]


                    kiekar

                      I do have one floating rule, which was auto-generated by pfBlockerNG. I did change the settings for firewall logs, which I was never aware of, and that pointed me to Snort:

                      Mar 20 16:48:58 Direction=OUT WAN Block snort2c hosts (1000000118) xx.xxx.xxx.xxx:56894 38.124.168.116:80 TCP:S

                      I did check Snort before, but I couldn't see any of the IPs logged on the Alerts tab or the Blocked tab.

                      johnpoz LAYER 8 Global Moderator
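The two logs in this thread line up on the destination IP: Squid's access log shows an intercepted request (ORIGINAL_DST) that failed with a 503, and the firewall log shows an outbound block on the WAN to that same IP by the snort2c rule. The following is an added Python example, not code from the thread or from pfSense; its log lines are constructed to mirror the formats quoted above, and it assumes Squid's native access-log layout and the field order of the GUI-rendered firewall log line (the raw filter log on disk is a different, CSV-style format).

```python
import re

# Constructed sample lines modelled on the Squid access.log and the pfSense
# firewall-log entry quoted in the thread (assumed formats, not captured data).
SQUID_LOG = """\
1458484310.421 13 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3707 GET http://dnl-10.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.124.168.116 text/html
1458484316.922 231 192.168.2.182 TCP_CLIENT_REFRESH_MISS/503 3706 GET http://dnl-14.geo.kaspersky.com/index/u1313g.xml.dif - ORIGINAL_DST/38.117.98.196 text/html
1458484400.000 20 192.168.2.182 TCP_MISS/200 5120 GET http://example.test/ok.html - ORIGINAL_DST/198.51.100.7 text/html
"""
FIREWALL_LOG = """\
Mar 20 16:48:58 Direction=OUT WAN Block snort2c hosts (1000000118) 203.0.113.5:56894 38.124.168.116:80 TCP:S
Mar 20 16:49:03 Direction=OUT WAN Block snort2c hosts (1000000118) 203.0.113.5:56901 38.117.98.196:80 TCP:S
"""

# Squid native log: time elapsed client result/status bytes method URL user hier/peer type
SQUID_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\w+)/(\d{3})\s+\d+\s+\w+\s+(\S+)\s+\S+\s+(\w+)/(\S+)")
# pfSense GUI rendering: timestamp Direction=X iface action rule (tracker) src:port dst:port proto
FW_RE = re.compile(r"^(\w{3} \d+ [\d:]+) Direction=(\w+) (\w+) (Block|Pass) (.+?) \((\d+)\) (\S+):\d+ (\S+):(\d+) (\S+)$")

def parse_squid(text):
    """One dict per parseable access-log line."""
    rows = []
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if m:
            ts, client, result, status, url, hier, peer = m.groups()
            rows.append({"ts": ts, "client": client, "result": result,
                         "status": int(status), "url": url, "hier": hier, "peer": peer})
    return rows

def parse_firewall(text):
    """Map each blocked destination IP to the rule that blocked it."""
    blocks = {}
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(4) == "Block":
            blocks[m.group(8)] = {"iface": m.group(3), "rule": m.group(5),
                                  "tracker": m.group(6), "dst_port": int(m.group(9))}
    return blocks

def correlate(squid_text, fw_text):
    """Pair intercepted (ORIGINAL_DST) requests that failed upstream with an outbound block on the same IP."""
    blocks = parse_firewall(fw_text)
    findings = []
    for row in parse_squid(squid_text):
        if row["status"] < 500 or row["hier"] != "ORIGINAL_DST":
            continue  # only transparent-proxy fetches whose upstream connection failed
        hit = blocks.get(row["peer"])
        findings.append({"url": row["url"], "dst": row["peer"],
                         "blocked_by": f"{hit['rule']} ({hit['tracker']})" if hit else None})
    return findings
```

A finding with `blocked_by` set names the rule (and its tracker id) to inspect before touching Squid; one with `None` points at the upstream server or DNS instead.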

                        I really, really wish there were very large, bold-letter caveats when installing tools like pfBlocker and for sure Snort, and even the proxy: that lack of understanding will BREAK your shit ;) hehehe

                        Snort can take quite a bit of tweaking of the rules before it is anything other than a log-noise generation tool... Putting it into block mode before you have spent the required time tweaking the rule set to weed out noise, etc., is just asking for shit to break.

                        While I like the idea of pfBlocker, it too is a very quick and easy way to break shit when you don't understand its actual use. Letting it auto-create rules is, if you ask me, a REALLY BAD idea. If you want to use it to block countries' IP ranges and/or remove ads, then use it in alias mode and place the specific rules you want.

                        In general, letting stuff block stuff for you automatically is going to lead to shit not working and you not understanding why.

                        As to the proxy, unless you have a bunch of puberty-age boys that you're trying to block from porn-ville, it serves little use in anything other than a corp environment. It's just another thing that could break your shit for very little added benefit.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.